Happy Friday! With the weekend upon us, I wanted to share some fun new consumer health privacy laws out of Washington. That’s right: as if keeping up with all the consumer privacy laws each state is rolling out (which feels like almost monthly at this point) weren’t enough, WA is now extending consumer health privacy past the thresholds of HIPAA. Enter the Washington My Health My Data Act, think consumer data privacy but make it health, which was signed into law yesterday and has a very speedy, IMO, effective date of July 23, 2023! You read that right: just a few months to review and streamline your practices if this law affects your business. However, there are very specific timelines carved out for certain requirements: regulated entities will be required to comply with most of the law by March 31, 2024, while small businesses are given until June 30, 2024.
Here are a few notable takeaways about the My Health My Data Act. Be sure to review the act in its entirety to see where your business practice may be affected.
A few key definitions:
“Consumer” means (a) a natural person who is a Washington resident; or (b) a natural person whose consumer health data is collected in Washington. “Consumer” means a natural person who acts only in an individual or household context, however identified, including by any unique identifier. “Consumer” does not include an individual acting in an employment context.
(a) “Consumer health data” means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.
By March 31, 2024, regulated entities and by June 30, 2024, small businesses will need to have a clear and conspicuously provided health data privacy policy in place. This policy needs to disclose the following:
- The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used;
- The categories of sources from which the consumer health data is collected;
- The categories of consumer health data that is shared;
- A list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data; and
- How a consumer can exercise the rights provided in section 6 of this act.
Beginning March 31, 2024, regulated entities and, beginning June 30, 2024, small businesses may not collect consumer health data unless they:
- Obtain consumer consent for a specified purpose; or
- Provide a product or service that the consumer requested from the business and that relates to their health data.
Regulated entities and small businesses may not share consumer health data unless they:
- Obtain consumer consent specific to sharing, separate from the consent to collect; or
- Provide a product or service that the consumer requested from the business and that relates to their health data.
Consent must be obtained prior to the act of collecting or sharing, through a clear and conspicuous disclosure of:
- The categories of consumer health data collected or shared;
- The purpose of the collection or sharing of the consumer health data, including the specific ways in which it will be used;
- The categories of entities with whom the consumer health data is shared; and
- How the consumer can withdraw consent from future collection or sharing of the consumer’s health data.
The rights around consumer health data may be a bit familiar:
- Right to know and access
- Right to withdraw consent for sharing
- Right to delete
  - Businesses must notify all affiliates, processors, contractors, and third parties
  - Deletion covers all records, including archived and backup systems
- Consumers are allowed to exercise their rights through the same means by which they would typically interact with the regulated entity or small business
- Provide an appeal process for denied requests
- Provide the data free of charge twice annually
- Must respond to requests within 45 days, with a one-time extension of 45 days to process the request
- Restrict access to only those within the regulated entity or small business who are necessary to provide the product or service
- Establish and maintain data security practices
- Provides a private right of action
It will be unlawful for any person to sell or offer to sell consumer health data without first obtaining a valid authorization from the consumer, which must be separate from the consumer’s consent to collect or share their consumer health data. A valid authorization must contain the following and be kept for six years:
(a) The specific consumer health data concerning the consumer that the person intends to sell;
(b) The name and contact information of the person collecting and selling the consumer health data;
(c) The name and contact information of the person purchasing the consumer health data from the seller identified in (b) of this subsection;
(d) A description of the purpose for the sale, including how the consumer health data will be gathered and how it will be used by the purchaser identified in (c) of this subsection when sold;
(e) A statement that the provision of goods or services may not be conditioned on the consumer signing the valid authorization;
(f) A statement that the consumer has a right to revoke the valid authorization at any time and a description on how to submit a revocation of the valid authorization;
(g) A statement that the consumer health data sold pursuant to the valid authorization may be subject to redisclosure by the purchaser and may no longer be protected by this section;
(h) An expiration date for the valid authorization that expires one year from when the consumer signs the valid authorization; and
(i) The signature of the consumer and date.
Important to note that the practices of geofencing around an entity that provides in-person health services will be considered unlawful!